
No More Rootkit in ZeroAccess?

The ZeroAccess crimeware package has been made rather much of, in view of its advanced kernel-mode rootkit driver. The Sirefef rootkit is highly aggressive and rather hard to detect; it exhibits polymorphism, overwrites legitimate system driver files to replace them with its own and in some versions it even tries to shut down AV software.

However, recent versions seem to have left out this particular “feature”. E-threat researcher Biro Balazs explains:

‘The infection mechanism is the same as that of older versions (the initial dropper comes as a flash player installer from porn sites), but it lacks the usual components, particularly the x86 rootkit component (rtk32).

In both cases the dropper has an embedded Microsoft Cabinet File which contains the components:

But, as we can see, the new dropper contains only: fp.exe (the clean flash player installer) plus n32 (p2p.32.dll) and n64 (p2p.64.dll), whereas the x86 rootkit component (rtk32) is missing. (Note: only the important files have been highlighted):

Instead, it has two DLLs (p2p.32.dll and p2p.64.dll), which are responsible for downloading further plugins. In our tests the 32-bit DLL hasn’t downloaded any rootkit component; this could mean that this part of the infection mechanism has been left out of the game.

But why would the authors leave out the rootkit? One possible cause is the aggressive nature of the rootkit. By overwriting a legitimate driver, it risks rendering the system non-bootable (it might get deleted by an anti-malware solution).

In this case the VX-ers would lose control over the system, which obviously isn’t their goal.

To survive a reboot, the package employs a technique also used by the first Sirefef/ZeroAccess variant (with the strange path “\\??\globalroot\Device\__max++>\”), namely CLSID hijacking – replacing the InprocServer32 entry of a well-known ClassId under HKLM\Software\Classes\CLSID.

Ironically, the new, rootkit-less versions are easier to detect, so if we lived in a perfect world where everyone runs antivirus software, ZeroAccess would be on its way out.’
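As an added, defender-side illustration of the CLSID-hijacking persistence the researcher describes (example code written for this page, not Bitdefender's or the researcher's own tooling): it parses a `reg export` of HKLM\Software\Classes\CLSID and flags InprocServer32 entries whose DLL path is an NT device path such as the `\??\globalroot` one quoted above, sits in a user-writable folder, or lies outside Windows and Program Files. The GUIDs and file names in the embedded sample are constructed, not real indicators.

```python
import re

# Constructed sample of what `reg export HKLM\Software\Classes\CLSID` produces; the
# GUIDs and DLL names are made up, only the "\??\globalroot" path style is from the write-up.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{00000001-AAAA-BBBB-CCCC-000000000001}\InprocServer32]
@="C:\\Windows\\System32\\shell32.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{00000002-AAAA-BBBB-CCCC-000000000002}\InprocServer32]
@="\\??\\globalroot\\Device\\__max++>\\hijack.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{00000003-AAAA-BBBB-CCCC-000000000003}]
@="Constructed COM object"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{00000003-AAAA-BBBB-CCCC-000000000003}\InprocServer32]
@="C:\\Users\\Public\\AppData\\Local\\Temp\\p2p.32.dll"
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
DEFAULT_RE = re.compile(r'^@="(?P<val>.*)"\s*$')
TRUSTED_PREFIXES = ("c:\\windows\\", "%systemroot%\\", "c:\\program files\\",
                    "c:\\program files (x86)\\", "%programfiles%\\")
WRITABLE_MARKERS = ("\\temp\\", "\\appdata\\", "\\recycler\\", "$recycle.bin")

def parse_reg(text):
    """Map every ...\\InprocServer32 key in a .reg export to its unescaped default value."""
    servers, current = {}, None
    for line in text.splitlines():
        if m := KEY_RE.match(line):
            current = m.group("key")
        elif (m := DEFAULT_RE.match(line)) and current and current.lower().endswith("\\inprocserver32"):
            # .reg files escape backslashes and quotes with a backslash; undo that
            servers[current] = re.sub(r"\\(.)", r"\1", m.group("val"))
    return servers

def assess(path):
    """Reasons an InprocServer32 path looks hijacked; an empty list means it looks normal."""
    p = path.strip().strip('"').lower()
    reasons = []
    if p.startswith("\\??\\") or "globalroot" in p:
        reasons.append("NT device path (\\??\\ or globalroot) instead of a normal drive path")
    if any(marker in p for marker in WRITABLE_MARKERS):
        reasons.append("DLL lives in a user-writable location")
    if not p.startswith(TRUSTED_PREFIXES):
        reasons.append("DLL is outside Windows or Program Files")
    return reasons

def find_hijacks(text):
    """Return {clsid_key: (path, reasons)} for every suspicious InprocServer32 entry."""
    return {k: (p, r) for k, p in parse_reg(text).items() if (r := assess(p))}
```

A real `reg export` file is UTF-16 text, so read it with `encoding="utf-16"` before handing it to `find_hijacks`; on a live host, comparing the flagged entries against a known-good export of the same key is the quickest way to confirm a hijack.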


About the author

Razvan STOICA

Razvan Stoica is a journalist turned teacher turned publicist and technology evangelist. When Bitdefender isn't paying him to bring complex subjects to wide audiences, he enjoys writing fiction, skiing and biking. Razvan Stoica started off writing for a science monthly and was the chief editor of a science fiction magazine for a short while before moving on to the University of Medicine in Bucharest where he lectured on the English language. Recruited by Bitdefender in 2004 to add zest to the company's online presence, he has fulfilled a bevy of roles within the company since. In his current position, he is primarily responsible for the communications and community-building efforts of the Bitdefender research and technology development arm.

After researching a couple of the weblog posts on your web site now, I truly like your means of blogging. I bookmarked it to my bookmark web site list and shall be checking back soon. Please take a look at my site as nicely and let me know what you think.

Some AVs regularly update a tool to detect hidden rootkits, so perhaps the ZAccessers do not want to get caught up in a constant one-up battle. They may want to concentrate upon infecting those computers they can infect and not worry about constantly tweaking their code to stay hidden a few more hours.